Compute basics
Compute is a measure of the computational power available to fulfil your workload. EC2 lets you acquire compute in the form of virtual servers called instances, launched from images.
Instance types
The instance type defines the virtual hardware supporting the EC2 instance. Instance types vary in the following dimensions
- vCPU
- Memory
- Storage (size and type)
- Network performance
Instance type families are optimised as below
| Family | Optimised for |
| c4 | Compute optimised |
| r3 | Memory optimised |
| i2 | Storage optimised |
| g2 | Graphics optimised |
Enhanced networking
Some instance types support enhanced networking for greater network performance. It reduces the impact of virtualization on networking by enabling a capability called single root I/O virtualization (SR-IOV), which gives more packets per second and lower latency. This is picked up again under VPC.
AMI
The Amazon Machine Image (AMI) is similar to a VM .OVA template, in that it is a software definition of the instance at launch. It defines
- OS and configuration
- Initial state and patching
- Application and system software
There are four sources of AMIs
- Published by AWS
- AWS Marketplace
- Generated from an existing instance (create an image from an existing EC2 instance)
- Uploaded virtual servers, using the AWS VM Import/Export service (RAW, VHD, VMDK and OVA)
Addressing an instance
There are several ways an instance can be addressed
- Public DNS name: when you launch an instance AWS creates a public DNS name for it; the name cannot be chosen by the enterprise
- Public IP: the launched instance gets a public IP address from a pool reserved by AWS; it only persists while the instance is running
- Elastic IP: an address that you reserve from a pool and assign to your instance. It is a public IP address that persists until the customer releases it and is not tied to the instance
Initial access
EC2 uses public key cryptography to encrypt and decrypt login information
Virtual firewall protection
AWS controls traffic in and out of the instance via a virtual firewall called a security group, which allows you to control traffic based on the following attributes
- Port
- Protocol
- Source/destination: identifies the far end of the communication; it can be a CIDR block (x.x.x.x/prefix length) or another security group
Security groups have different abilities depending on whether they are associated with a VPC or with EC2
| Type of security group | Capability |
| EC2 security groups | Control outgoing instance traffic |
| VPC security groups | Control outgoing and incoming instance traffic |
Every instance must have at least one security group, but can have more.
A security group is default deny, that is to say it will not allow any traffic that is not explicitly permitted by a security group rule.
In the case of multiple security groups the rules of all the groups are aggregated, so if you allow RDP from x.x.x.x in one group and HTTP from 0.0.0.0/0 in another, the EC2 instance will accept both RDP traffic and HTTP traffic.
A security group is a stateful firewall, so the return traffic of an allowed connection is permitted without a separate rule. Security groups are applied at the instance level rather than at the perimeter.
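The default-deny and aggregation behaviour described above, as an added example (a constructed model written for these notes, not AWS code or the AWS API): each attached group holds allow rules, an inbound packet passes only if some rule in some group matches, and the RDP/HTTP groups from the text are modelled with the documentation range 203.0.113.0/24 standing in for x.x.x.x. Return traffic of an allowed connection is not modelled here; the stateful tracking that permits it is done by AWS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule in a security group (there are no deny rules)."""
    protocol: str   # "tcp", "udp", "icmp" or "-1" for any protocol
    from_port: int  # -1 means any port
    to_port: int
    source: str     # a CIDR block or the id of another security group


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int
    src_ip: str
    src_group: Optional[str] = None  # set when the sender is in a security group


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol not in ("-1", pkt.protocol):
        return False
    if rule.from_port != -1 and not (rule.from_port <= pkt.port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # Source given as a security group: match on group membership, not IP
        return pkt.src_group == rule.source
    return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.source, strict=False)


def inbound_allowed(groups: Dict[str, List[Rule]], pkt: Packet) -> bool:
    """Default deny: pass only if any rule in any attached group allows the packet."""
    return any(rule_matches(r, pkt) for rules in groups.values() for r in rules)


# Constructed example: the two groups from the text attached to one instance
ATTACHED = {
    "sg-admin": [Rule("tcp", 3389, 3389, "203.0.113.0/24")],  # RDP from one office range
    "sg-web": [Rule("tcp", 80, 80, "0.0.0.0/0")],             # HTTP from anywhere
}
```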
Instance lifecycle
One of the benefits of AWS EC2 is the ability to bootstrap, that is, to run code when the instance is launched.
One of the parameters given when an instance is launched is a string value called UserData. This string is passed to the OS at launch and executed as part of the launch: on Linux it can be a shell script, on Windows a PowerShell script. It can do things such as
- Apply a patch
- Enrol in a directory service
- Install application software
VM import /export
This allows you to import virtual machines from your enterprise; you cannot export an AMI.
Instance metadata
You can use instance metadata to control your instance: the OS can make a call for it without making a call to the AWS API. An HTTP call to http://169.254.169.254/latest/meta-data/ returns the top node of the metadata tree. Some of the attributes are shown below
- Security group ids associated with the instance
- Instance id
- Instance type
- AMI used to launch the instance
There is a lot more; see the documentation.
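The metadata tree described above, walked in code as an added example for these notes (not AWS code): a listing of any node is one entry per line, and an entry ending in "/" is a sub-node. The fetch function is injected so the walker runs offline against a constructed stand-in tree with placeholder ids; `http_fetch` is the plain GET the text describes (newer instances configured for IMDSv2 additionally require a session token header).

```python
import urllib.request
from typing import Callable, Dict

METADATA_ROOT = "http://169.254.169.254/latest/meta-data/"  # from the page

# Constructed stand-in for the service: node path -> listing or leaf value
FAKE_TREE = {
    "": "ami-id\ninstance-id\ninstance-type\nsecurity-groups\nnetwork/",
    "ami-id": "ami-0123456789abcdef0",          # placeholder, not a real AMI
    "instance-id": "i-0123456789abcdef0",       # placeholder
    "instance-type": "c4.large",
    "security-groups": "web-sg\nadmin-sg",
    "network/": "interfaces/",
    "network/interfaces/": "macs/",
    "network/interfaces/macs/": "0a:1b:2c:3d:4e:5f/",
    "network/interfaces/macs/0a:1b:2c:3d:4e:5f/": "security-group-ids",
    "network/interfaces/macs/0a:1b:2c:3d:4e:5f/security-group-ids":
        "sg-0123456789abcdef0\nsg-0fedcba9876543210",  # placeholders
}


def fake_fetch(path: str) -> str:
    return FAKE_TREE[path]


def http_fetch(path: str) -> str:
    """Fetch one node from the real service when run on an instance (not used offline)."""
    with urllib.request.urlopen(METADATA_ROOT + path, timeout=2) as resp:
        return resp.read().decode()


def walk_metadata(fetch: Callable[[str], str], path: str = "") -> Dict[str, str]:
    """Return {leaf path: value} for the whole subtree under `path`.

    Sub-nodes are recognised by the trailing "/" in the listing and recursed into;
    every other entry is a leaf whose value is fetched.
    """
    leaves: Dict[str, str] = {}
    for entry in fetch(path).splitlines():
        child = path + entry
        if entry.endswith("/"):
            leaves.update(walk_metadata(fetch, child))
        else:
            leaves[child] = fetch(child)
    return leaves
```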
Managing instances
When the number of instances starts to climb you can use tags to manage them, as you can with other AWS services; you can apply up to ten tags per instance. Monitoring of instances is done via Amazon CloudWatch.
Pricing instances
You are charged for EC2 instances while they are in a running state, but the amount you are charged depends on which of the following three pricing options you use
| Pricing option | Characteristics |
| On-demand instances | Price per hour as published on the AWS website. Most flexible pricing option, since the enterprise controls when the instance is running. Least cost effective price per hour of the three options |
| Reserved instances | Make a capacity reservation for predictable workloads. Can save up to 75% over the on-demand hourly rate. To reserve, the enterprise needs the instance type, the availability zone and the duration of the reservation. Two factors determine the cost: the commitment and the payment option. The commitment is the duration of the reservation, one or three years; the longer the commitment the bigger the discount. The payment options are All upfront, Partial upfront and No upfront |
| Spot instances | For workloads that are not time critical and are tolerant of interruption. The enterprise specifies a bid price; if the bid price is above the spot price the enterprise gets the instance. The instance will run until the spot price exceeds the bid price |
If AWS needs to terminate a spot instance it sends a two minute termination warning
Architectures with different pricing models - EXAM!!!!!
Depending on the need you can combine different pricing models within one architecture.
Example: a website that sells Christmas foods gets 20,000 hits per day in December but only 5,000 hits per day at other times, so you could use on-demand pricing for the extra capacity in December and reserved instance pricing for the off-peak baseline.
Tenancy options
The following tenancy options can help a client achieve security and compliance goals
Shared tenancy
This is the default tenancy model for all EC2 instances; it means that in the AWS data center you are sharing a blade with other customers.
Dedicated instances
Dedicated instances run on hardware that is dedicated to a single customer.
Dedicated host
The physical server is dedicated to the customer, which can help meet licensing requirements. This differs from dedicated instances, which can launch on any hardware dedicated to the account.
Placement groups
A placement group is a logical grouping of instances within an availability zone, so that chatty applications that need to talk to each other can do so with low latency over a 10 Gbps network. Remember that to take advantage of this you need to choose an instance type that supports enhanced networking.
Instance stores
Instance stores provide temporary block storage for your instance. The storage is physically attached to the host server and is ideal for data that changes frequently. The key aspect of instance stores is that they are temporary: data in the instance store is lost when
- the underlying disk drive fails
- the instance stops (data persists across a reboot)
- the instance terminates
Elastic block store
The limited persistence of instance stores means they are ill suited to more durable workloads. To get around this problem AWS provides Elastic Block Store (EBS), whose volumes are automatically replicated within their availability zone. Multiple EBS volumes can be attached to an instance.
Types of EBS volumes
There are several different types
Magnetic volumes
These have the lowest performance and the lowest cost. They range in size from 1 GB to 1 TB and average 100 IOPS, but can burst to hundreds of IOPS. They are best used where
- data is accessed infrequently
- reads are sequential
- low cost is required
They are billed on the size of the disk, not on what is stored on it.
General purpose SSD
Suitable for a wide range of workloads. They range in size from 1 GB to 16 TB and provide 3 IOPS per GB provisioned, capped at 10,000 IOPS, so a 1 TB volume will provide 3,000 IOPS, but a 5 TB volume won't give you 15,000 IOPS because of the cap. They are suited to workloads such as
- system boot volumes
- small to medium sized databases
- development and test environments
Provisioned IOPS SSD
Designed to meet the needs of I/O intensive workloads such as databases. They are the most expensive volume type and range in size from 4 GB to 16 TB. You can stripe multiple volumes together in a RAID 0 configuration. Pricing is based on the size of the volume and the IOPS reserved. They can provide up to 20,000 IOPS and are suitable for
- Critical business applications
- large database work loads
Protecting Data
When working with instances you need to be able to back up and recover EBS volumes, which is done via snapshots. They can be taken in the following ways
- From the AWS Management Console
- Through the CLI
- Through the API
- On a schedule of regular snapshots
Snapshots are stored in Amazon S3, but it is system storage: you manipulate snapshots through the EBS console rather than through S3.
Creating a volume from a snapshot
To use a snapshot you create a volume from it; when you do this the volume is created immediately.
Recovering Volumes
Since EBS volumes persist after an instance fails, it is straightforward to detach the volume and attach it to another instance so that the data can be retrieved.
Encryption volumes
When you launch an encrypted volume, Amazon uses KMS (Key Management Service) to handle the key management and encrypts the data with the industry standard AES-256 algorithm. The encryption happens on the servers where the volumes are attached.
Summary
- To launch an instance you must specify an AMI, which defines the software at launch, and an instance type, which defines the virtual hardware (memory, vCPU etc.)
- Spot instances are best for workloads that can tolerate interruption; reserved instances are best for long term compute needs; on-demand instances provide flexible platforms that can scale to need
- On-demand instances can be used to scale up a web application running on reserved instances in response to a traffic spike.
- Enhanced networking gives you higher throughput and lower jitter and latency
- An instance can be addressed via its public IPv4 address, an Elastic IP or its public DNS name
- Data in an instance store is lost when the instance is stopped or terminated, though of course it survives an OS reboot
- On-demand instances require no upfront commitment, can be launched at any time and are billed by the hour. Reserved instances require an upfront commitment. Spot instances are launched when your bid price exceeds the spot price and run until the spot price exceeds your bid price, in which case you get a 2 minute warning.
- Every instance type is rated for low, medium, high or 10 Gbps network performance, with larger instance types rated higher; some instance types support enhanced networking.
- Metadata is information about an instance, such as instance ID, instance type and security groups, available over HTTP.
- Security groups are virtual firewalls that control traffic in and out of your EC2 instance. They deny by default, you specify traffic direction, port, protocol and source/destination address via CIDR block, and they are stateful, meaning that an outgoing rule allows the response without a corresponding incoming rule.
- Magnetic volumes provide an average performance of 100 IOPS and can be provisioned up to 1 TB. They are good for cold and infrequently accessed data. General purpose SSD volumes provide 3 IOPS/GB up to 10,000 IOPS, with smaller volumes able to burst to 3,000 IOPS. They can be provisioned up to 16 TB
- Any volume type can be encrypted at launch; encryption is built on AWS KMS and is transparent to attached instances
- Snapshots provide a point in time backup of an EBS volume and are stored in S3; subsequent backups are incremental and only store deltas